RFC 6114

The 128-Bit Blockcipher CLEFIA

Independent Submission M. Katagi
Request for Comments: 6114 S. Moriai
Category: Informational Sony Corporation
ISSN: 2070-1721 March 2011 The 128-Bit Blockcipher CLEFIA
Abstract
This document describes the specification of the blockcipher CLEFIA.
CLEFIA is a 128-bit blockcipher, with key lengths of 128, 192, and
256 bits, which is compatible with the interface of the Advanced
Encryption Standard (AES). The algorithm of CLEFIA was published in
2007, and its security has been scrutinized in the public community.
CLEFIA is one of the new-generation lightweight blockcipher
algorithms designed after AES. Among them, CLEFIA offers high
performance in software and hardware as well as lightweight
implementation in hardware. CLEFIA will be of benefit to the
Internet, which will be connected to more distributed and constrained
devices.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6114.

1. Introduction
Due to the widespread use of the Internet, devices with limited
capabilities, e.g., wireless sensors, are connected to the network.
In order to realize enough security for the network, cryptographic
technologies suitable for such constrained devices are very
important. This recent technology is called "lightweight
cryptography", and the demand for lightweight cryptography is
increasing.
In order to satisfy these needs, a 128-bit blockcipher, CLEFIA, was
designed based on state-of-the-art techniques [FSE07]. CLEFIA is a
128-bit blockcipher, with key lengths of 128, 192, and 256 bits,
which is compatible with the interface of AES [FIPS-197]. Since the
cipher algorithm was published in 2007, its security has been
scrutinized in the public community, but no security weaknesses have
been reported so far.
CLEFIA is a lightweight blockcipher, since it can be implemented
within 3 Kgates using a 0.13-um standard Complementary Metal Oxide
Semiconductor (CMOS) Application-Specific Integrated Circuit (ASIC)
library. Many of the lightweight cryptographic algorithms sacrifice
security and/or speed; however, CLEFIA provides high-level security
of 128, 192, and 256 bits and high performance in software and
hardware. CLEFIA will be of benefit to the Internet, which will be
connected to more distributed and resource-constrained devices.
CLEFIA is proposed in ISO/IEC 29192-2 [ISO29192-2] and the CRYPTREC
project for the revision of the e-Government recommended ciphers list
in Japan [CRYPTREC].
Further information about CLEFIA, including reference implementation,
test vectors, and security and performance evaluation, is available
from http://www.sony.net/clefia/.
2. Notations
This section describes mathematical notations, conventions, and
symbols used throughout this document.
0x : A prefix for a binary string in hexadecimal form
a|b or (a|b) : Concatenation of a and b
(a,b) or (a b) : Vector style representation of a|b
a <- b : Updating a value of a by a value of b
trans(a) : Transposition of a vector or a matrix a
a XOR b : Bitwise exclusive-OR operation

~a : Logical negation
a <<< b : b-bit left cyclic shift operation
a ^ b : a raised to the power of b
a * b : Multiplication in GF(2^n) over a defined polynomial
3. CLEFIA Algorithm
The CLEFIA algorithm consists of two parts: a data processing part
and a key scheduling part. The data processing part of CLEFIA
consists of functions ENCr for encryption and DECr for decryption.
The encryption/decryption process is as follows:
Step 1. Key scheduling
Step 2. Encrypting/decrypting each block of data using ENCr/DECr
The process of the key scheduling is described in Section 6, and the
definitions of ENCr and DECr are explained in Section 5. CLEFIA
supports 128-bit, 192-bit, and 256-bit keys, and the key scheduling
and ENCr/DECr should be appropriately selected for its key length.
4. CLEFIA Building Blocks
4.1. GFN_{d,r}
We first define the function GFN_{d,r}, which is a fundamental
structure for CLEFIA, and then define a data processing part and a
key scheduling part.
CLEFIA uses a 4-branch and an 8-branch generalized Feistel network.
The 4-branch generalized Feistel network is used in the data
processing part and the key scheduling for a 128-bit key. The
8-branch generalized Feistel network is applied in the key scheduling
for a 192-bit/256-bit key. We denote the d-branch r-round
generalized Feistel network employed in CLEFIA as GFN_{d,r}.
For d pairs of 32-bit inputs Xi and outputs Yi (0 <= i < d), and dr/2
32-bit round keys RK_{i} (0 <= i < dr/2), GFN_{d,r} (d = 4,8) is
defined as follows.

F1(RK, x)
input : 32-bit round key RK, 32-bit data x,
output: 32-bit data y
Step 1. T <- RK XOR x
Step 2. Let T = T0 | T1 | T2 | T3, where Ti is 8-bit data,
T0 <- S1(T0),
T1 <- S0(T1),
T2 <- S1(T2),
T3 <- S0(T3)
Step 3. Let y = y0 | y1 | y2 | y3, where yi is 8-bit data,
y <- M1 trans((T0, T1, T2, T3))
S0 and S1 are nonlinear 8-bit S-boxes, and M0 and M1 are 4x4
diffusion matrices described in the following section. In each
F-function, two S-boxes are used in the different order, and a
different matrix is used.
4.3. S-Boxes
CLEFIA employs two different types of 8-bit S-boxes: S0 is based on
four 4-bit S-boxes, and S1 is based on the inverse function over
GF(2^8) [CLEFIA1].
Tables 1 and 2 show the output values of S0 and S1, respectively. In
these tables, all values are expressed in hexadecimal form. For an
8-bit input of an S-box, the upper 4 bits indicate a row and the
lower 4 bits indicate a column. For example, if a value 0xab is
input, 0x7e is output by S0 because it is on the cross line of the
row indexed by "a." and the column indexed by ".b".